A vulnerability was discovered on WSO2 products inline API documentation editor page of the API Publisher. A reflected cross-site script (XSS) vulnerability allows an attacker to perform in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful request parameter for ‘docName.’
Securin Zero-Days
CVE-2019-20435 – Reflected Cross-Site Scripting in WSO2 Product
Severity:Medium
Vendor
WSO2
Affected Product
WSO2 API Manager
CVE
CVE-2019-20435
Securin ID
2019-CSW-11-1027
Status
Fixed
Date
June 21, 2019
Description
Proof of Concept (POC):
The POST request docName variable is vulnerable to reflected Cross-Site Scripting (XSS) in the URL, https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag
.png)
Figure 01: New document created in the API.
.png)
Figure 02: Choose ‘Edit Content’ to edit document information.
.png)
Figure 03: Actual GET request URL.
.png)
Figure 04: Crafted request with XSS payload, XSS<img src=x onerror=prompt(1)> gets reflected in the same browser as response.
Impact
By tricking a privileged user into clicking a created URL via email, IM, or a neutral web site, the attacker can make the browser get redirected to a malicious website, which makes changes in the UI of the web page and retrieve information from the browser or harm otherwise. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.
Remediations
Download the relevant patch based on the product version.
|
Code |
Product |
Version |
Patch |
|
AM |
WSO2 API Manager |
2.6.0 |
Timeline
Jun 21, 2019: Discovered in WSO2 API Manager Product version 2.6.0
Jun 21, 2019: Report sent to WS02
Jun 21, 2019: WS02 acknowledged the report
Aug 13, 2019: Vendor informed their customers about the vulnerability
Nov 04, 2019: Public announcement by the vendor about the vulnerability